Qualys


VMware Authentication 


Thank you for your interest in authenticated scanning! When you configure and use 
authentication, you get a more in-depth assessment of your hosts, the most accurate results and 
fewer false positives. This document provides tips and best practices for setting up VMware 
authentication. 


A few things to consider 


Why should I use authentication? 


With authentication we can remotely log in to each target system with credentials that you 
provide, and because we're logged in we can do more thorough testing. This will give you better 
visibility into each system's security posture. Is it required? It's required for compliance scans 
and recommended for vulnerability scans. 


Are my credentials safe? 


Yes, credentials are exclusively used for READ access to your system. The service does not 
modify or write anything on the device in any way. Credentials are securely handled by the 
service and are only used for the duration of the scan. 


Which technologies are supported? 


For the most current list of supported authentication technologies and the versions that have 
been certified for VM and PC by record type, please refer to the following article: 


Authentication Technologies Matrix 


What are the steps? 


First, set up a VMware user account and privileges (on target hosts) for authenticated scanning. 
Then, using Qualys, complete these steps: 

1) Add a VMware authentication record to associate credentials with hosts. 
2) Launch a scan using an option profile with authentication enabled (it's always enabled in 
compliance profiles). 
3) Run the Authentication Report to find out if authentication passed or failed for each scanned 
host. 


What’s supported? 


You can perform authenticated mapping and scanning of VMware vSphere components running 
VMware ESXi 4.x, 5.x and 6.x, and ESX 3.5 and above. VMware authentication is supported for 
maps, vulnerability scans and compliance scans. For authenticated maps, the discovery includes 
only ESXi hosts and the map results identify detected ESXi servers and their guest systems. 


What credentials should I use? 


You'll need to provide a service credential with at least Read-Only access to your ESXi hosts. 
Certain additional privileges are also required: Global.Settings, Host.Config.Change settings and 
Authorization.ModifyPermissions (ESXi 6.5 and 6.0). See the help to learn how to create a role 
with these required privileges. 

Are your ESXi hosts joined to an Active Directory domain? If yes, then a Domain-level credential 
can be used. If not, then an individual credential on each target machine will be required. 


Tell me about authenticated maps 


If you run a map using VMware authentication, we'll use a vSphere API call to retrieve a list of 
virtual guest hosts residing on a VMware server. Only running virtual guests will be enumerated 
by the vSphere API and shown in your map results. Note only virtual guests that have VMware 
Tools installed appear in map results. 


Communications with VMware 

We establish communication against the vSphere API/VI API (port 443 by default) which is 
provided by each ESXi host. The vSphere API is a SOAP API used by all vSphere components. This 
is the same API the VI Client uses to communicate with ESXi hosts. Routing and firewalls 
between scanner appliances and this API must allow this communication. 


Our service does not currently communicate with/through vCenter Server. 


VMware Authentication Records 


You'll create VMware authentication records in Qualys to associate credentials with hosts. 


Where do I create records? 
Go to Scans > Authentication > New > VMware > VMware ESXi. 


[Screenshot: VMware ESXi authentication record form with Record Title, Login Credentials 
(Basic Authentication / Authentication Vault / Use vCenter), Username, Password, Hosts, 
Use SSL, Skip Verify and Port fields] 


Login Credentials 


Enter an ESXi user name or a Windows domain user name in the format 


Use the basic login credential or choose to use authentication vault for authenticated scanning. 


Hosts 


Provide a list of FQDNs for the hosts that correspond to all ESXi host IP addresses on which a 
custom SSL certificate signed by a trusted root CA is installed. Multiple hosts are comma 
separated. 


Certificate validation options 


Select the "Use SSL" option for a complete SSL certificate validation. 


Select "Skip Verify" if the host SSL certificate is self-signed or uses an SSL certificate signed 
by a custom root CA. A list of host FQDNs is not required in this case. 
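The pre-flight check below is an added example written for this guide (not Qualys or VMware code) that does what the scanner does first against an ESXi host: open a TLS connection to the vSphere SOAP API on port 443 and ask for ServiceContent. The `use_ssl`/`skip_verify` arguments mirror the record's "Use SSL" and "Skip Verify" options, and connecting by IP while validating the certificate against the FQDN shows why the Hosts field asks for FQDNs. The `/sdk` path and `RetrieveServiceContent` call are the standard vSphere API entry point; `SAMPLE_REPLY`, the host values and the `check_esxi`/`esxi_version` names are constructed for illustration.

```python
import http.client
import socket
import ssl
import xml.etree.ElementTree as ET

VIM_NS = "urn:vim25"
# Constructed sample of a RetrieveServiceContent reply, trimmed to the fields used below.
SAMPLE_REPLY = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
    b'<RetrieveServiceContentResponse xmlns="urn:vim25"><returnval><about>'
    b'<fullName>VMware ESXi 6.5.0 build-0000000</fullName><apiVersion>6.5</apiVersion>'
    b'</about></returnval></RetrieveServiceContentResponse></soapenv:Body></soapenv:Envelope>'
)

def soap_retrieve_service_content() -> bytes:
    """First vSphere API call any client makes: ask ServiceInstance for its ServiceContent."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
        f'<RetrieveServiceContent xmlns="{VIM_NS}"><_this type="ServiceInstance">ServiceInstance</_this>'
        '</RetrieveServiceContent></soapenv:Body></soapenv:Envelope>'
    ).encode()

def ssl_context_for_record(use_ssl: bool, skip_verify: bool) -> ssl.SSLContext:
    """Use SSL = validate chain and hostname. Skip Verify = encrypt only, so self-signed
    or custom-root-CA certificates are accepted (and no FQDN list is needed)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED with check_hostname=True
    if skip_verify or not use_ssl:
        ctx.check_hostname = False      # must be cleared before switching to CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def esxi_version(xml_reply: bytes):
    """Return (fullName, apiVersion) from a ServiceContent reply; raise if it is not one."""
    about = ET.fromstring(xml_reply).find(f".//{{{VIM_NS}}}about")
    if about is None:
        raise ValueError("no ServiceContent in reply: not the vSphere API on this port?")
    return about.findtext(f"{{{VIM_NS}}}fullName"), about.findtext(f"{{{VIM_NS}}}apiVersion")

def check_esxi(ip: str, fqdn: str, use_ssl=True, skip_verify=False, port=443):
    """Connect by IP (the record lists IPs) but verify the certificate against the FQDN,
    which is why the Hosts field asks for FQDNs when "Use SSL" is selected."""
    ctx = ssl_context_for_record(use_ssl, skip_verify)
    tls = ctx.wrap_socket(socket.create_connection((ip, port), timeout=10), server_hostname=fqdn)
    conn = http.client.HTTPSConnection(fqdn, port, timeout=10)
    conn.sock = tls  # hand http.client our already-verified socket instead of letting it connect
    conn.request("POST", "/sdk", body=soap_retrieve_service_content(),
                 headers={"Content-Type": "text/xml", "SOAPAction": "urn:vim25"})
    return esxi_version(conn.getresponse().read())
```

Running `check_esxi("10.0.0.5", "esxi01.example.internal")` against a host with a CA-signed certificate fails on hostname mismatch exactly when the record would, while `skip_verify=True` reproduces the "Skip Verify" behaviour.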
By default the service communicates on port 443. This can be customized. 

Can I access a password in a vault? 


Yes. We support integration with multiple third party password vaults, including CyberArk PIM 
Suite, Thycotic Secret Server, Lieberman ERPM, and more. Go to Scans > Authentication > New > 
Authentication Vaults and tell us about your vault system. Then choose "Authentication Vault" in 
your record and select your vault type & name. At scan time, we'll authenticate to hosts using 
the account name in your record. 


IPs 


Add the IP addresses for the ESXi servers that the scanning engine should log into using the 
specified credentials. Note you can add one particular ESXi server to only one VMware record in 
your account. 